The grey hat hacker "Freedom" shares his expertise

Mar 18, 2012 08:51 GMT

The grey hat hacker known as Freedom found a large number of sites that contain cross-site scripting (XSS) and other types of vulnerabilities.

Since it’s clear that he knows a lot of things about XSS, we decided to get his opinion on the matter and asked him to share some information on what website administrators can do to avoid such security holes.

XSS flaws have been discussed a lot lately, but since it’s clear they are not going away any time soon, there can never be too many advisories on this subject and on web security in general.

Softpedia: Please tell our readers a bit about XSS vulnerabilities.

Freedom: XSS (cross-site scripting) is not something that should be missed in website security. Here’s a good example of how XSS can be used.

I played an online game that a friend of mine owned. It would allow a user to enter a picture from a link. I changed this into an iframe (it was not hard to find the script he was using online).

I had the script and the issue, so I placed an iframe and asked my friend (game admin) to check my profile.

He did, and when we looked in the game logs, his IP had made me admin of the game. I could have done anything with that and not been blamed.

Softpedia: What are the other dangers that hide behind an XSS security hole?

Freedom: The dangers of XSS can be minor, right up to “Wow! What happened?”

XSS can be used in many ways to do many things. With the right issue "a hacker" could steal sensitive information, virus your users, steal cookies, load iframes, and make users visit bad sites.

The worst case of XSS I have ever seen was about 1 year ago. A few hackers hacked a very good online store and they had what you could call a catalogue. Well, the hackers found an XSS issue and were able to make a lot of users download a R.A.T. (remote administration tool).

The site’s owners never knew and still don’t know to this day that it was done.

Softpedia: How can websites be protected against XSS attacks?

Freedom: OK. So if you have been a target to XSS, you will know it’s a tricky bugger and some site administrators don’t know how to secure their assets.

Well, it is pretty simple to do and there is a lot of help on the net for this, but in my opinion I would say the best ways are the following.

The first defense against XSS is the verification and filtering of web app inputs. Now, a few people here forget this, but it is a must. We have to filter both ASCII and HEX.

After you have filtered all the inputs, there is some software you can get online that will scan your site, but I would note that these applications shouldn’t be trusted 100%. They have been wrong in the past and will be wrong again!

Here is one that I think every site admin should have: http://www.acunetix.com/cross-site-scripting/scanner.htm
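The input check Freedom describes, applied to the "picture link" field from his game example: normalise percent-encoded ("HEX") input before checking it, accept only an http(s) URL, and HTML-escape the value on output. This is an added example, not code from the article or from the game he mentions; the field, the placeholder image path and the sample inputs are constructed.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}
# Characters that never belong in a URL typed into an image-link field.
FORBIDDEN = set('<>"\'`')


def normalise(raw: str) -> str:
    """Decode percent-encoding ("HEX" input) until it stops changing, so a
    double-encoded %253C is recognised as '<' before the check runs."""
    current = raw.strip()
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def validate_picture_link(raw: str) -> Optional[str]:
    """Return the normalised URL if it is an acceptable http(s) link, else None."""
    value = normalise(raw)
    if any(ch in FORBIDDEN for ch in value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_img_tag(raw: str) -> str:
    """Rejected input falls back to a placeholder image (constructed path);
    accepted input is still HTML-escaped on output, so the browser only ever
    sees a quoted attribute value and never a tag the user supplied."""
    url = validate_picture_link(raw)
    if url is None:
        return '<img src="/static/default.png" alt="profile picture">'
    return f'<img src="{html.escape(url, quote=True)}" alt="profile picture">'


if __name__ == "__main__":
    # Constructed samples: a normal link, the iframe swap from the interview
    # in plain ASCII, and the same markup with its brackets percent-encoded.
    for sample in (
        "https://img.example/avatar.png",
        '"><iframe src="https://other.example"></iframe>',
        "%22%3E%3Ciframe%20src%3D%22https%3A%2F%2Fother.example%22%3E",
    ):
        print(render_img_tag(sample))
```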

Softpedia: Can you give a few simple tips to website owners on this subject?

Freedom: Webmasters forget a lot of stuff, even big companies buy scripts because they see it on other websites and think if they use it, it must be secure. Well, as I reported a bit back, this is a wrong way to look at your website.

My tips for website owners are:

− never trust an outsourced script, no matter where you get it from, even if it says “100% secure.” Test it before using it!
− if a user can post data anywhere on your site, I would check those places to make sure they are secure;
− always check new work. Make sure it is up to standards because, after all, it only takes one issue to bring the wall down.